X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=00dc219eb7694bf58a0613800f5f4f0f12ac0dc1;hp=762757bf00329a199a4e1c20c85c5c04e93def64;hb=a70da5b3ecc3160368529677006801c58cb369db;hpb=a9e1c50bb09a110d4774e6710f9322344684fa2d diff --git a/apps/s_server.c b/apps/s_server.c index 762757bf00..00dc219eb7 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -207,6 +207,7 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); static int not_resumable_sess_cb(SSL *s, int is_forward_secure); static int sv_body(char *hostname, int s, unsigned char *context); static int www_body(char *hostname, int s, unsigned char *context); +static int rev_body(char *hostname, int s, unsigned char *context); static void close_accept_socket(void ); static void sv_usage(void); static int init_ssl_connection(SSL *s); @@ -215,6 +216,9 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len); static void init_session_cache_ctx(SSL_CTX *sctx); static void free_sessions(void); +static int ssl_load_stores(SSL_CTX *sctx, + const char *vfyCApath, const char *vfyCAfile, + const char *chCApath, const char *chCAfile); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); static DH *get_dh512(void); @@ -265,7 +269,7 @@ static int accept_socket= -1; #undef PROG #define PROG s_server_main -extern int verify_depth, verify_return_error; +extern int verify_depth, verify_return_error, verify_quiet; static char *cipher=NULL; static int s_server_verify=SSL_VERIFY_NONE; @@ -274,6 +278,8 @@ static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL; #ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL; static char *curves=NULL; +static char *sigalgs=NULL; +static char *client_sigalgs=NULL; #endif static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL; #ifdef FIONBIO @@ -288,6 +294,7 @@ static SSL_CTX *ctx2=NULL; static int www=0; static BIO *bio_s_out=NULL; +static BIO *bio_s_msg = NULL; static int s_debug=0; #ifndef OPENSSL_NO_TLSEXT static int s_tlsextdebug=0; @@ -297,6 +304,7 @@ static int cert_status_cb(SSL *s, void *arg); static int no_resume_ephemeral = 0; static int s_msg=0; static int s_quiet=0; +static int s_brief=0; static char *keymatexportlabel=NULL; static int keymatexportlen=20; @@ -316,8 +324,6 @@ static int cert_chain = 0; #ifndef OPENSSL_NO_TLSEXT static BIO *authz_in = NULL; static const char *s_authz_file = NULL; -static unsigned char *authz = NULL; -static size_t authz_length; #endif #ifndef OPENSSL_NO_PSK @@ -462,6 +468,7 @@ static void s_server_init(void) s_debug=0; s_msg=0; s_quiet=0; + s_brief=0; hack=0; #ifndef OPENSSL_NO_ENGINE engine_id=NULL; @@ -926,7 +933,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, return SSL_TLSEXT_ERR_OK; } -# endif /* ndef OPENSSL_NO_NPN */ +# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ #endif static int not_resumable_sess_cb(SSL *s, int is_forward_secure) @@ -951,6 +958,8 @@ int MAIN(int argc, char *argv[]) int badarg = 0; short port=PORT; char *CApath=NULL,*CAfile=NULL; + char *chCApath=NULL,*chCAfile=NULL; + char *vfyCApath=NULL,*vfyCAfile=NULL; unsigned char *context = NULL; char *dhfile = NULL; #ifndef OPENSSL_NO_ECDH @@ -959,6 +968,8 @@ int MAIN(int argc, char *argv[]) int badop=0,bugs=0; int ret=1; int off=0; + unsigned int cert_flags = 0; + int build_chain = 0; int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; const SSL_METHOD *meth=NULL; @@ -973,11 +984,10 @@ int MAIN(int argc, char *argv[]) STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; int no_cache = 0, ext_cache = 0; + int rev = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; -#endif -#ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; @@ -992,6 +1002,11 @@ int MAIN(int argc, char *argv[]) char *srpuserseed = NULL; char *srp_verifier_file = NULL; #endif + SSL_EXCERT *exc = NULL; + + unsigned char *checkhost = NULL, *checkemail = NULL; + char *checkip = NULL; + meth=SSLv23_server_method(); local_argc=argc; @@ -1134,6 +1149,16 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-chainCApath") == 0) + { + if (--argc < 1) goto bad; + chCApath= *(++argv); + } + else if (strcmp(*argv,"-verifyCApath") == 0) + { + if (--argc < 1) goto bad; + vfyCApath= *(++argv); + } else if (strcmp(*argv,"-no_cache") == 0) no_cache = 1; else if (strcmp(*argv,"-ext_cache") == 0) @@ -1144,8 +1169,16 @@ int MAIN(int argc, char *argv[]) goto bad; continue; } + else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) + { + if (badarg) + goto bad; + continue; + } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (strcmp(*argv,"-verify_quiet") == 0) + verify_quiet = 1; else if (strcmp(*argv,"-serverpref") == 0) { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } else if (strcmp(*argv,"-legacy_renegotiation") == 0) @@ -1155,11 +1188,23 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; cipher= *(++argv); } + else if (strcmp(*argv,"-build_chain") == 0) + build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } + else if (strcmp(*argv,"-chainCAfile") == 0) + { + if (--argc < 1) goto bad; + chCAfile= *(++argv); + } + else if (strcmp(*argv,"-verifyCAfile") == 0) + { + if (--argc < 1) goto bad; + vfyCAfile= *(++argv); + } #ifdef FIONBIO else if (strcmp(*argv,"-nbio") == 0) { s_nbio=1; } @@ -1208,9 +1253,43 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; curves= *(++argv); } + else if (strcmp(*argv,"-sigalgs") == 0) + { + if (--argc < 1) goto bad; + sigalgs= *(++argv); + } + else if (strcmp(*argv,"-client_sigalgs") == 0) + { + if (--argc < 1) goto bad; + client_sigalgs= *(++argv); + } #endif + else if (strcmp(*argv,"-checkhost") == 0) + { + if (--argc < 1) goto bad; + checkhost=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkemail") == 0) + { + if (--argc < 1) goto bad; + checkemail=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkip") == 0) + { + if (--argc < 1) goto bad; + checkip=*(++argv); + } else if (strcmp(*argv,"-msg") == 0) { s_msg=1; } + else if (strcmp(*argv,"-msgfile") == 0) + { + if (--argc < 1) goto bad; + bio_s_msg = BIO_new_file(*(++argv), "w"); + } +#ifndef OPENSSL_NO_SSL_TRACE + else if (strcmp(*argv,"-trace") == 0) + { s_msg=2; } +#endif else if (strcmp(*argv,"-hack") == 0) { hack=1; } else if (strcmp(*argv,"-state") == 0) @@ -1219,6 +1298,12 @@ int MAIN(int argc, char *argv[]) { s_crlf=1; } else if (strcmp(*argv,"-quiet") == 0) { s_quiet=1; } + else if (strcmp(*argv,"-brief") == 0) + { + s_quiet=1; + s_brief=1; + verify_quiet=1; + } else if (strcmp(*argv,"-bugs") == 0) { bugs=1; } else if (strcmp(*argv,"-no_tmp_rsa") == 0) @@ -1264,6 +1349,8 @@ int MAIN(int argc, char *argv[]) meth = TLSv1_server_method(); } #endif + else if (strcmp(*argv,"-rev") == 0) + { rev=1; } else if (strcmp(*argv,"-www") == 0) { www=1; } else if (strcmp(*argv,"-WWW") == 0) @@ -1274,12 +1361,12 @@ int MAIN(int argc, char *argv[]) { off|=SSL_OP_NO_SSLv2; } else if (strcmp(*argv,"-no_ssl3") == 0) { off|=SSL_OP_NO_SSLv3; } - else if (strcmp(*argv,"-no_tls1_2") == 0) - { off|=SSL_OP_NO_TLSv1_2; } - else if (strcmp(*argv,"-no_tls1_1") == 0) - { off|=SSL_OP_NO_TLSv1_1; } else if (strcmp(*argv,"-no_tls1") == 0) { off|=SSL_OP_NO_TLSv1; } + else if (strcmp(*argv,"-no_tls1_1") == 0) + { off|=SSL_OP_NO_TLSv1_1; } + else if (strcmp(*argv,"-no_tls1_2") == 0) + { off|=SSL_OP_NO_TLSv1_2; } else if (strcmp(*argv,"-no_comp") == 0) { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT @@ -1295,14 +1382,12 @@ int MAIN(int argc, char *argv[]) { meth=SSLv3_server_method(); } #endif #ifndef OPENSSL_NO_TLS1 - else if (strcmp(*argv,"-tls1_2") == 0) - { meth=TLSv1_2_server_method(); } - else if (strcmp(*argv,"-tls1_1") == 0) - { meth=TLSv1_1_server_method(); } else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } else if (strcmp(*argv,"-tls1_1") == 0) { meth=TLSv1_1_server_method(); } + else if (strcmp(*argv,"-tls1_2") == 0) + { meth=TLSv1_2_server_method(); } #endif #ifndef OPENSSL_NO_DTLS1 else if (strcmp(*argv,"-dtls1") == 0) @@ -1386,6 +1471,12 @@ int MAIN(int argc, char *argv[]) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } + else if (strcmp(*argv, "-cert_strict") == 0) + cert_flags |= SSL_CERT_FLAG_TLS_STRICT; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + else if (strcmp(*argv, "-debug_broken_protocol") == 0) + cert_flags |= SSL_CERT_FLAG_BROKEN_PROTCOL; +#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1443,6 +1534,9 @@ bad: s_key_file2 = s_cert_file2; #endif + if (!load_excert(&exc, bio_err)) + goto end; + if (nocert == 0) { s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e, @@ -1489,51 +1583,24 @@ bad: goto end; } } -# ifndef OPENSSL_NO_NEXTPROTONEG - if (next_proto_neg_in) - { - unsigned short len; - next_proto.data = next_protos_parse(&len, - next_proto_neg_in); - if (next_proto.data == NULL) - goto end; - next_proto.len = len; - } - else - { - next_proto.data = NULL; - } -# endif - if (s_authz_file != NULL) - { - /* Allow authzs up to 64KB bytes. */ - static const size_t authz_limit = 65536; - - authz_in = BIO_new(BIO_s_file_internal()); - if (authz_in == NULL) - { - ERR_print_errors(bio_err); - goto end; - } - - if (BIO_read_filename(authz_in, s_authz_file) <= 0) - { - ERR_print_errors(bio_err); - goto end; - } - authz = OPENSSL_malloc(authz_limit); - authz_length = BIO_read(authz_in, authz, authz_limit); - if (authz_length == authz_limit || authz_length <= 0) - { - BIO_printf(bio_err, "authz too large\n"); - goto end; - } - BIO_free(authz_in); - authz_in = NULL; - } #endif /* OPENSSL_NO_TLSEXT */ } +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto_neg_in) + { + unsigned short len; + next_proto.data = next_protos_parse(&len, next_proto_neg_in); + if (next_proto.data == NULL) + goto end; + next_proto.len = len; + } + else + { + next_proto.data = NULL; + } +#endif + if (s_dcert_file) { @@ -1630,6 +1697,8 @@ bad: if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx,off); + if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); + if (exc) ssl_ctx_set_excert(ctx, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -1668,6 +1737,13 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) + { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_TLSEXT if (s_cert2) { @@ -1703,6 +1779,8 @@ bad: if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx2,off); + if (cert_flags) SSL_CTX_set_cert_flags(ctx2, cert_flags); + if (exc) ssl_ctx_set_excert(ctx2, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -1828,19 +1906,19 @@ bad: } #endif - if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) + if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT - if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length)) + if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file)) goto end; #endif #ifndef OPENSSL_NO_TLSEXT - if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) + if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain)) goto end; #endif if (s_dcert != NULL) { - if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain)) + if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain)) goto end; } @@ -1947,6 +2025,36 @@ bad: goto end; } } + if (sigalgs) + { + if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) + { + BIO_printf(bio_err,"error setting signature algorithms\n"); + ERR_print_errors(bio_err); + goto end; + } + if(ctx2 && !SSL_CTX_set1_sigalgs_list(ctx2,sigalgs)) + { + BIO_printf(bio_err,"error setting signature algorithms\n"); + ERR_print_errors(bio_err); + goto end; + } + } + if (client_sigalgs) + { + if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) + { + BIO_printf(bio_err,"error setting client signature algorithms\n"); + ERR_print_errors(bio_err); + goto end; + } + if(ctx2 && !SSL_CTX_set1_client_sigalgs_list(ctx2,client_sigalgs)) + { + BIO_printf(bio_err,"error setting client signature algorithms\n"); + ERR_print_errors(bio_err); + goto end; + } + } #endif SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, @@ -1980,8 +2088,8 @@ bad: if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR) { BIO_printf(bio_err, - "Cannot initialize SRP verifier file \"%s\":ret=%d\n", - srp_verifier_file,ret); + "Cannot initialize SRP verifier file \"%s\":ret=%d\n", + srp_verifier_file, ret); goto end; } SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback); @@ -2001,7 +2109,9 @@ bad: BIO_printf(bio_s_out,"ACCEPT\n"); (void)BIO_flush(bio_s_out); - if (www) + if (rev) + do_server(port,socket_type,&accept_socket,rev_body, context); + else if (www) do_server(port,socket_type,&accept_socket,www_body, context); else do_server(port,socket_type,&accept_socket,sv_body, context); @@ -2017,27 +2127,41 @@ end: EVP_PKEY_free(s_key); if (s_dkey) EVP_PKEY_free(s_dkey); + if (s_chain) + sk_X509_pop_free(s_chain, X509_free); + if (s_dchain) + sk_X509_pop_free(s_dchain, X509_free); if (pass) OPENSSL_free(pass); if (dpass) OPENSSL_free(dpass); free_sessions(); #ifndef OPENSSL_NO_TLSEXT + if (tlscstatp.host) + OPENSSL_free(tlscstatp.host); + if (tlscstatp.port) + OPENSSL_free(tlscstatp.port); + if (tlscstatp.path) + OPENSSL_free(tlscstatp.path); if (ctx2 != NULL) SSL_CTX_free(ctx2); if (s_cert2) X509_free(s_cert2); if (s_key2) EVP_PKEY_free(s_key2); - if (authz != NULL) - OPENSSL_free(authz); if (authz_in != NULL) BIO_free(authz_in); #endif + ssl_excert_free(exc); if (bio_s_out != NULL) { BIO_free(bio_s_out); bio_s_out=NULL; } + if (bio_s_msg != NULL) + { + BIO_free(bio_s_msg); + bio_s_msg = NULL; + } apps_shutdown(); OPENSSL_EXIT(ret); } @@ -2192,8 +2316,13 @@ static int sv_body(char *hostname, int s, unsigned char *context) } if (s_msg) { - SSL_set_msg_callback(con, msg_cb); - SSL_set_msg_callback_arg(con, bio_s_out); +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); } #ifndef OPENSSL_NO_TLSEXT if (s_tlsextdebug) @@ -2295,7 +2424,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) } else i=raw_read_stdin(buf,bufsize); - if (!s_quiet) + if (!s_quiet && !s_brief) { if ((i <= 0) || (buf[0] == 'Q')) { @@ -2505,12 +2634,12 @@ static int init_ssl_connection(SSL *con) X509 *peer; long verify_error; MS_STATIC char buf[BUFSIZ]; +#ifndef OPENSSL_NO_KRB5 + char *client_princ; +#endif #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; -#endif -#ifndef OPENSSL_NO_KRB5 - char *client_princ; #endif unsigned char *exportedkeymat; @@ -2543,11 +2672,16 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_err,"verify error:%s\n", X509_verify_cert_error_string(verify_error)); } - else - ERR_print_errors(bio_err); + /* Always print any error messages */ + ERR_print_errors(bio_err); return(0); } + if (s_brief) + print_ssl_summary(bio_err, con); + + print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip); + PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); peer=SSL_get_peer_certificate(con); @@ -2566,7 +2700,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); ssl_print_sigalgs(bio_s_out, con); - ssl_print_curves(bio_s_out, con); + ssl_print_curves(bio_s_out, con, 0); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -2730,6 +2864,7 @@ static int www_body(char *hostname, int s, unsigned char *context) } SSL_set_bio(con,sbio,sbio); SSL_set_accept_state(con); + /* SSL_set_fd(con,s); */ BIO_set_ssl(ssl_bio,con,BIO_CLOSE); BIO_push(io,ssl_bio); @@ -2745,8 +2880,13 @@ static int www_body(char *hostname, int s, unsigned char *context) } if (s_msg) { - SSL_set_msg_callback(con, msg_cb); - SSL_set_msg_callback_arg(con, bio_s_out); +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); } for (;;) @@ -2903,7 +3043,7 @@ static int www_body(char *hostname, int s, unsigned char *context) BIO_puts(io,"\n"); } ssl_print_sigalgs(io, con); - ssl_print_curves(io, con); + ssl_print_curves(io, con, 0); BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, " :"---\nNew, ")); @@ -3097,6 +3237,146 @@ err: return(ret); } +static int rev_body(char *hostname, int s, unsigned char *context) + { + char *buf=NULL; + int i; + int ret=1; + SSL *con; + BIO *io,*ssl_bio,*sbio; +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kctx; +#endif + + buf=OPENSSL_malloc(bufsize); + if (buf == NULL) return(0); + io=BIO_new(BIO_f_buffer()); + ssl_bio=BIO_new(BIO_f_ssl()); + if ((io == NULL) || (ssl_bio == NULL)) goto err; + + /* lets make the output buffer a reasonable size */ + if (!BIO_set_write_buffer_size(io,bufsize)) goto err; + + if ((con=SSL_new(ctx)) == NULL) goto err; +#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) + { + SSL_set_tlsext_debug_callback(con, tlsext_cb); + SSL_set_tlsext_debug_arg(con, bio_s_out); + } +#endif +#ifndef OPENSSL_NO_KRB5 + if ((kctx = kssl_ctx_new()) != NULL) + { + kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); + kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); + } +#endif /* OPENSSL_NO_KRB5 */ + if(context) SSL_set_session_id_context(con, context, + strlen((char *)context)); + + sbio=BIO_new_socket(s,BIO_NOCLOSE); + SSL_set_bio(con,sbio,sbio); + SSL_set_accept_state(con); + + BIO_set_ssl(ssl_bio,con,BIO_CLOSE); + BIO_push(io,ssl_bio); +#ifdef CHARSET_EBCDIC + io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io); +#endif + + if (s_debug) + { + SSL_set_debug(con, 1); + BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); + BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); + } + if (s_msg) + { +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); + } + + for (;;) + { + i = BIO_do_handshake(io); + if (i > 0) + break; + if (!BIO_should_retry(io)) + { + BIO_puts(bio_err, "CONNECTION FAILURE\n"); + ERR_print_errors(bio_err); + goto end; + } + } + BIO_printf(bio_err, "CONNECTION ESTABLISHED\n"); + print_ssl_summary(bio_err, con); + + for (;;) + { + i=BIO_gets(io,buf,bufsize-1); + if (i < 0) /* error */ + { + if (!BIO_should_retry(io)) + { + if (!s_quiet) + ERR_print_errors(bio_err); + goto err; + } + else + { + BIO_printf(bio_s_out,"read R BLOCK\n"); +#if defined(OPENSSL_SYS_NETWARE) + delay(1000); +#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) + sleep(1); +#endif + continue; + } + } + else if (i == 0) /* end of input */ + { + ret=1; + BIO_printf(bio_err, "CONNECTION CLOSED\n"); + goto end; + } + else + { + char *p = buf + i - 1; + while(i && (*p == '\n' || *p == '\r')) + { + p--; + i--; + } + BUF_reverse((unsigned char *)buf, NULL, i); + buf[i] = '\n'; + BIO_write(io, buf, i + 1); + for (;;) + { + i = BIO_flush(io); + if (i > 0) + break; + if (!BIO_should_retry(io)) + goto end; + } + } + } +end: + /* make sure we re-use sessions */ + SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); + +err: + + if (buf != NULL) OPENSSL_free(buf); + if (io != NULL) BIO_free_all(io); + return(ret); + } + #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) { @@ -3254,7 +3534,36 @@ static void free_sessions(void) } first = NULL; } - + +static int ssl_load_stores(SSL_CTX *sctx, + const char *vfyCApath, const char *vfyCAfile, + const char *chCApath, const char *chCAfile) + { + X509_STORE *vfy = NULL, *ch = NULL; + int rv = 0; + if (vfyCApath || vfyCAfile) + { + vfy = X509_STORE_new(); + if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) + goto err; + SSL_CTX_set1_verify_cert_store(ctx, vfy); + } + if (chCApath || chCAfile) + { + ch = X509_STORE_new(); + if (!X509_STORE_load_locations(ch, chCAfile, chCApath)) + goto err; + /*X509_STORE_set_verify_cb(ch, verify_callback);*/ + SSL_CTX_set1_chain_cert_store(ctx, ch); + } + rv = 1; + err: + if (vfy) + X509_STORE_free(vfy); + if (ch) + X509_STORE_free(ch); + return rv; + }